What is exploitation?
taking advantage of something for personal gain
What is an example of exploitation?
When the phone phreakers used their knowledge of the phone network to get free phone calls (exploiting a "bug" in the phone system -- by blowing a whistle at the phone system it tricked the phone into thinking they paid and the network responded in kind)
OR
If Justin's students had cloned other people's key cards and used it to get into THEIR rooms (not their own rooms)
What is exploration?
use of knowledge to do things NOT for your own personal gain -- essentially, wanting to see whether you can do it
What is an example of exploration?
When the phone phreakers started they used their knowledge of the phone network to host group calls, looping around the planet, and locating strange corners on the phone system.
OR
When Justin's students wanted to see if they could clone a key card and trying it on their OWN door
What is a vulnerability?
identified weakness within software, hardware or procedures
What is an example of a vulnerability?
employees at risk for phishing emails who do not undergo cybersecurity training; having a set schedule with a stalker
What is a threat?
tactic or specific behavior that exploits a vulnerability within a device/procedure which could result in damage or destruction of assets
What is an example of a threat?
phishing emails sent to new, untrained employees
What is risk?
likelihood assets or personal info may be damaged or destroyed aka the likelihood that an attack/threat occurs via exploit of vulnerability
What is an example of risk?
A new employee who has no knowledge of cybersecurity procedures and is unaware of phishing emails is at high risk of being exploited
What is ad hoc security?
security in response to something or for a specific purpose
Why does ad hoc security rarely work?
Because it usually has not: considered all possible attackers (what they want, why they want it, how far they are willing to go to get it); considered all possible attack surfaces (is the network secure? the OS? the hardware? the people?); or weighed the tradeoffs of the mitigations (financial cost, new risks the mitigation itself introduces, burden placed on users)
What is threat modeling?
process of systematically identifying threats faced by system
What is the process of threat modeling?
1. identify things of value you want to protect
2. enumerate the attack surfaces (physically, in person, internet, etc)
3. hypothesize attackers and map them to (a) things of value they want from you and (b) their ability to target vulnerable surfaces
4. survey mitigations
5. balance the costs vs the risks
What is the key idea of security?
deter the attacker from targeting your systems by making it so hard to gain access that it is not worth it to the attacker
What are the key factors for attacks?
when (before, during, after), where (local or remote), how (passive or active)
What is an attack that occurs before?
the device or data is compromised before it reaches you, i.e. while it is still in someone else's possession (manufacturer, seller, shipper)
What is an example of an attack that occurs before?
a. an employee at Amazon is not happy with Amazon because they are missing promotions so they insert malicious software on devices before shipping them out
b. inserting a USB/virus into a device after leaving it somewhere
c. inserting malware into a device and triggering it after you sell your computer to someone else
a. an employee at Amazon is not happy with Amazon because they are missing promotions so they insert malicious software on devices before shipping them out
What is an attack that occurs during?
item is in your possession
What is an example of an attack that occurs during?
a. an employee at Amazon is not happy with Amazon because they are missing promotions so they insert malicious software on devices before shipping them out
b. inserting a USB/virus into a device after leaving it somewhere
c. inserting malware into a device and triggering it after you sell your computer to someone else
b. inserting a USB/virus into a device after leaving it somewhere
What is an attack that occurs after?
the device is attacked after it has left your possession (sold, lost, discarded)
What is an example of an attack that occurs after?
a. an employee at Amazon is not happy with Amazon because they are missing promotions so they insert malicious software on devices before shipping them out
b. inserting a USB/virus into a device after leaving it somewhere
c. inserting malware into a device and triggering it after you sell your computer to someone else
c. inserting malware into a device and triggering it after you sell your computer to someone else
What is a local attack?
an attack that requires physical proximity to, or possession of, the device
What is an example of a local attack?
a. hijacking a phone's bluetooth while walking past them
b. stealing a phone
c. taking someone's phone and resetting their password
d. all of the above
d. all of the above
What is a remote attack?
an attack carried out over a network (e.g. the internet) without physical access to the device
What is an example of a remote attack?
man in the middle attack
What is a passive attack?
attacker monitors and records data transmissions without changing them
What is an example of a passive attack?
a. packet sniffing (monitoring network traffic to capture sensitive data like passwords)
b. wiretapping (intercepting communications to listen in)
c. sending phishing emails/messages
d. both a and b
e. both b and c
f. both c and a
d. both a and b
What is an active attack?
When an attacker attempts to modify or delete data, or to prevent a network from operating correctly.
What is an example of an active attack?
a. sending phishing emails/messages
b. man in the middle attack
c. denial of service attack
d. actively probing someone's device
e. all of the above
e. all of the above
What are the possible attack surfaces for physical proximity?
steal and use device, direct connections via USB, close proximity radios (Bluetooth, NFC)
What are the attack surfaces for social engineering?
trick the user into installing malicious app(s)
What are the attack surfaces for a network?
passive eavesdropping, active attacks (man in the middle, SMS of death, etc)
What are the attack surfaces of a supply chain?
backdoor the OS, backdoor the handset (ex. OnePlus EngineeringMode), intercept and compromise handset in transit
(Hypothetical attackers) What are the capabilities of The Thief?
steal the phone, connect to USB or networks, disconnect the phone from the internet
(Hypothetical attackers) What are the goals of The Thief?
device itself, access to financial services
(Hypothetical attackers) How can you mitigate The Thief?
Strong authentication (strong password, biometrics), full device encryption, remote tracking and wiping
(The Thief) What are the issues with a strong password (strong authentication)?
annoying to enter
(The Thief) What are the issues with remote tracking and wiping?
won't work if the thief disconnects from the internet
(Hypothetical attackers) What are the capabilities of Law Enforcement?
steal phone, connect to USB or networks, disconnect phone from the internet, legally compel you to do things, infect you with surveillance malware
(Hypothetical attackers) What are the goals of Law Enforcement?
evidence from the device (messages, pictures, GPS logs)
(Hypothetical attackers) How can you mitigate Law Enforcement?
Strong authentication (strong password, biometrics), full device encryption, patch the OS and apps, avoid phishing attacks, don't use any cloud services
Why can you NOT use remote tracking and wiping when mitigating law enforcement?
obstruction of justice --> crime
(Law enforcement) What are the issues with a strong password (strong authentication)?
annoying to enter
(Law enforcement) What are the issues with a biometrics (strong authentication)?
can compel you to unlock
(Law enforcement) What are the issues with patching the OS and apps?
manufacturers are slow to patch
(Law enforcement) What are the issues with avoiding phishing attacks?
requires constant vigilance
(Law enforcement) What are the issues with not using any cloud services?
prevents you from using most modern apps
(Hypothetical attackers) What are the capabilities of The Eavesdropper?
passively observe network traffic
(Hypothetical attackers) What are the goals of The Eavesdropper?
steal PII, passwords, bank account numbers, etc
(Hypothetical attackers) How do you mitigate The Eavesdropper?
use a Virtual Private Network (VPN)
(The Eavesdropper) Why can't you use HTTPS everywhere to mitigate attacks?
unclear which apps use HTTPS, no way to force HTTPS
(The Eavesdropper) What are the issues with using VPNs?
may slow your connection, free VPNs are scams
What mitigations are not relevant to prevent eavesdropping attacks?
strong authentication, full device encryption, patch OS and apps, avoid phishing attacks
(Hypothetical attackers) What are the capabilities of Three Letter Agencies?
passively observe network traffic, active network attacks
(Hypothetical attackers) What are the goals of Three Letter Agencies?
surveillance
(Hypothetical attackers) How do you mitigate attacks by Three Letter Agencies?
Use a VPN, use Tor, patch the OS and apps, disable JavaScript and plugins in web browser, no cloud services
(Three Letter Agencies) What are the issues with using VPNs?
free VPNs are scams, may slow your connection, does not provide anonymity
(Three Letter Agencies) What are the issues with using Tor?
very slow connection
(Three Letter Agencies) What are the issues with disabling JavaScript and plugins in web browser?
some websites will break
What is Tor?
an anonymity network, not just a browser: traffic is encrypted in layers and routed through several volunteer relays (onion routing) so no single relay sees both who you are and what you are visiting; the Tor Browser is the usual client. It is also how you reach onion services (the "dark web") and is often associated with illegal activity, but the same anonymity serves journalists, activists and anyone avoiding surveillance
How do you balance the cost and risk of mitigating against attacks?
assess the likelihood of different attacks (subjective --> change based upon context); compare to the cost of mitigations (risk/reward)
What is STRIDE?
a Microsoft-designed classification of threats against software into six categories (the letters of STRIDE), used to model and mitigate them
What is the process of STRIDE?
1. identify assets
2. create an architecture overview (diagrams that map out the target system)
3. decompose the application (uncover vulnerabilities in design, implementation, or deployment)
4. identify the threats (keep the goals of attackers in mind)
5. document the threats
6. Rate the threats (prioritize and address the most significant threats)
What does the S in STRIDE stand for?
a. standing
b. spoofing
c. security
b. spoofing
What is spoofing (STRIDE)?
can I pretend to be someone else?
What does the T stand for in STRIDE?
a. tampering
b. traversable
c. tighten
a. tampering
What is tampering (STRIDE)?
can I maliciously change the content of the record?
What does the R stand for in STRIDE?
a. Repudiation
b. reproducible
c. reversible
a. Repudiation
What is repudiation (STRIDE)?
can I make the claim that I didn't do it?
What does the I stand for in STRIDE?
a. Information security
b. Information breach
c. Information disclosure
c. Information disclosure
What is information disclosure (STRIDE)?
can I read data I am not authorized to see (and possibly publicly disclose it)?
What does the D stand for in STRIDE?
a. Denial of Service
b. Data
c. Defense
a. Denial of Service
What is denial of service (STRIDE)?
Can I hinder the performance of the server, and cause disruptions while preventing others from access?
What does the E stand for in STRIDE?
a. Escalation of the attack
b. Enumerability
c. Elevation/Escalation of Privileges
c. Elevation/Escalation of Privileges
What is elevation/escalation of privileges (STRIDE)?
can I obtain administrative privileges to install, modify, and configure your device?
What is DREAD?
method for calculating the risk scores for threats
What does the first D stand for in DREAD?
a. damage potential
b. damage caused
c. denial of service
d. desirability
e. discoverability
a. damage potential
What is damage potential (DREAD)?
how great is the damage if the vulnerability is exploited?
What is an example of damage potential (DREAD)?
10 million dollars in damages
What is the R in DREAD?
a. reproducibility
b. recorded
c. reversible
d. reduction of costs
a. reproducibility
What is reproducibility (DREAD)?
how easy is it to reproduce an attack?
What is an example of reproducibility (DREAD)?
the attack is very effective, but extremely difficult to execute/reproduce
What does the E stand for in DREAD?
a. Energy needed
b. Element of surprise
c. Exploitability
c. Exploitability
What is exploitability (DREAD)?
how easy is it to launch an attack?
What is an example of exploitability (DREAD)?
to launch the attack it requires deep knowledge and experience vs an attack that only requires the use of a browser
What does the A stand for in DREAD?
a. Affected users
b. Availability
c. Active v passive attack
a. Affected users
What is affected users (DREAD)?
as a rough percentage, how many users are affected?
What is an example of affected users (DREAD)?
75% of users are affected
What does the second D stand for in DREAD?
a. damage potential
b. discoverability
c. desirability
d. damage caused
b. discoverability
What is discoverability (DREAD)?
how easy is it to find the vulnerability?
What is an example of discoverability (DREAD)?
everybody is aware of a design flaw in the company's system vs a vulnerability in a system that VERY few people know about
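The cards above describe the threat modeling steps (identify assets, draw the architecture, decompose, identify threats, document, rate) in words. The following is an added example, not from the original flashcards, that runs those steps on a small constructed model: a hypothetical phone banking app is described as a few data-flow-diagram elements, the "STRIDE-per-element" rule of thumb from Microsoft's SDL generates candidate threats for each element type, and DREAD (each factor rated 0-10, score = the mean) ranks the ones that have been rated. All element names and ratings are invented for illustration.

```python
"""STRIDE-per-element enumeration plus DREAD ranking for a toy data-flow diagram.

Added example, not from the original flashcards. The app, its elements and the
DREAD ratings are all constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# STRIDE categories and the Microsoft SDL "STRIDE-per-element" rule of thumb:
# which categories are worth asking about for each kind of DFD element.
STRIDE = {
    "S": "Spoofing", "T": "Tampering", "R": "Repudiation",
    "I": "Information disclosure", "D": "Denial of service",
    "E": "Elevation of privilege",
}
APPLICABLE = {
    "external": "SR",      # external entity: can it be impersonated / deny acting?
    "process": "STRIDE",   # code that runs: everything applies
    "dataflow": "TID",     # data in motion: modified, read, or blocked
    "datastore": "TRID",   # data at rest: modified, log entries denied, read, made unavailable
}

# DREAD factors, each rated 0 (negligible) to 10 (worst); the score is their mean.
FACTORS = ("damage", "reproducibility", "exploitability",
           "affected_users", "discoverability")


@dataclass(frozen=True)
class Element:
    name: str
    kind: str  # one of APPLICABLE's keys


@dataclass
class Threat:
    element: Element
    category: str                             # one STRIDE letter
    ratings: Optional[Dict[str, int]] = None  # DREAD ratings once the threat is rated

    def describe(self) -> str:
        return f"{STRIDE[self.category]} of '{self.element.name}' ({self.element.kind})"


def dread_score(ratings: Dict[str, int]) -> float:
    """Average of the five DREAD factors; raises if a factor is missing or out of range."""
    missing = set(FACTORS) - set(ratings)
    if missing:
        raise ValueError(f"unrated DREAD factors: {sorted(missing)}")
    if any(not 0 <= ratings[f] <= 10 for f in FACTORS):
        raise ValueError("each DREAD factor must be rated 0..10")
    return sum(ratings[f] for f in FACTORS) / len(FACTORS)


def enumerate_threats(model: List[Element]) -> List[Threat]:
    """'Identify the threats': one candidate per applicable STRIDE letter per element."""
    return [Threat(e, c) for e in model for c in APPLICABLE[e.kind]]


def rank(threats: List[Threat]) -> List[Threat]:
    """'Rate the threats': highest DREAD score first; unrated threats are left out."""
    rated = [t for t in threats if t.ratings is not None]
    return sorted(rated, key=lambda t: dread_score(t.ratings), reverse=True)


# Constructed architecture overview: a phone banking app talking to a bank API.
CUSTOMER = Element("Customer", "external")
APP = Element("Banking app", "process")
API = Element("Bank API", "process")
LINK = Element("App -> API over coffee-shop Wi-Fi", "dataflow")
DB = Element("Account database", "datastore")
MODEL = [CUSTOMER, APP, API, LINK, DB]

# Constructed DREAD ratings for two of the candidates (the rest are left unrated).
RATINGS = {
    # plaintext traffic sniffed by anyone on the Wi-Fi: trivially reproducible, easy to find
    (LINK.name, "I"): dict(damage=8, reproducibility=10, exploitability=9,
                           affected_users=8, discoverability=10),
    # insider rewriting balances: severe, but needs rare access and is hard to discover
    (DB.name, "T"): dict(damage=9, reproducibility=3, exploitability=2,
                         affected_users=10, discoverability=2),
}


def build_and_rank(model=MODEL, ratings=RATINGS) -> List[Threat]:
    """Run the steps end to end: enumerate, attach ratings, rank."""
    threats = enumerate_threats(model)
    for t in threats:
        t.ratings = ratings.get((t.element.name, t.category))
    return rank(threats)


if __name__ == "__main__":
    for t in build_and_rank():
        print(f"{dread_score(t.ratings):4.1f}  {t.describe()}")
```

The unrated candidates are the "document the threats" backlog: STRIDE-per-element deliberately over-generates, and the ranking step is where the subjective likelihood judgement from the "balance the cost and risk" card enters, through the reproducibility, exploitability and discoverability ratings.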
What is an example of spoofing (STRIDE)?
an attacker sends an email from a fake email address to appear as if it comes from a legitimate source
What is an example of tampering (STRIDE)?
an attacker deleting important data/information from a data file
What is an example of repudiation (STRIDE)?
an attacker uses another users account to launch their attack and then denies being involved
What is an example of information disclosure (STRIDE)?
an attacker gains access to credit card information and publicly releases the credit card information
What is an example of denial of service (STRIDE)?
an attacker overloads an application with illegitimate requests in a short amount of time, overwhelming the application/website, bringing it down
What is an example of elevation/escalation of privileges (STRIDE)?
an attacker exploits a vulnerability in an authentication system, allowing them to gain administrator privileges, allowing them to change settings, steal sensitive information, etc
What are the fundamental goals of cryptography?
confidentiality (no eavesdropping), integrity (no unauthorized modifications), authenticity (no spoofing or faking), non-repudiation (no disclaiming of ownership)
What is the attacker threat model for passive interactions with messages and protocols (cryptography)?
only observes and attempts to decrypt messages --> only threatens confidentiality
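The last two cards state that a purely passive attacker threatens only confidentiality, while integrity and authenticity are threatened by an active attacker who modifies messages. The following is an added example, not from the original flashcards, that makes the difference concrete with an encrypt-then-MAC construction: confidentiality comes from a toy stream cipher (SHA-256 in counter mode, used here only for illustration, not a production cipher) and integrity/authenticity from HMAC-SHA256 from Python's standard library. The keys, fixed nonce and message are constructed for the demo; a passive observer learns only the message length, and an active bit-flip on the ciphertext silently changes the plaintext unless the MAC is checked.

```python
"""Passive vs active attacker against an encrypted message: encrypt-then-MAC.

Added example, not from the original flashcards. Confidentiality comes from a toy
stream cipher (SHA-256 in counter mode, for illustration only, not a production
cipher); integrity and authenticity come from HMAC-SHA256. Keys, nonce and the
message are constructed for the demo.
"""
import hashlib
import hmac
import os
from typing import Optional

NONCE_LEN, TAG_LEN = 16, 32


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """SHA-256(key || nonce || counter) blocks, concatenated and cut to length."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(enc_key: bytes, mac_key: bytes, plaintext: bytes,
            nonce: Optional[bytes] = None) -> bytes:
    """nonce || ciphertext || HMAC(nonce || ciphertext). Use a fresh nonce per message."""
    nonce = os.urandom(NONCE_LEN) if nonce is None else nonce
    ct = xor(plaintext, keystream(enc_key, nonce, len(plaintext)))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_unauthenticated(enc_key: bytes, blob: bytes) -> bytes:
    """What a receiver that skips the MAC check gets: confidentiality only."""
    nonce, ct = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN]
    return xor(ct, keystream(enc_key, nonce, len(ct)))


def decrypt(enc_key: bytes, mac_key: bytes, blob: bytes) -> bytes:
    """Verify the tag first (constant-time compare), only then decrypt."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("MAC check failed: message tampered with or forged")
    return decrypt_unauthenticated(enc_key, blob)


def passive_observer(blob: bytes) -> dict:
    """A passive attacker records the bytes but learns only metadata such as length."""
    return {"plaintext_length": len(blob) - NONCE_LEN - TAG_LEN}


def flip_byte(blob: bytes, offset: int, mask: int) -> bytes:
    """An active attacker XORs a ciphertext byte; with a stream cipher the same
    XOR lands on the plaintext byte at that offset (malleability)."""
    b = bytearray(blob)
    b[NONCE_LEN + offset] ^= mask
    return bytes(b)


def demo() -> dict:
    enc_key, mac_key = b"e" * 32, b"m" * 32   # constructed; use os.urandom(32) in practice
    msg = b"PAY 0010 TO BOB"
    blob = encrypt(enc_key, mac_key, msg, nonce=bytes(NONCE_LEN))  # fixed nonce: repeatable demo
    # Turn "0010" into "9010" by flipping bits of the ciphertext byte at offset 4.
    tampered = flip_byte(blob, 4, ord("0") ^ ord("9"))
    try:
        decrypt(enc_key, mac_key, tampered)
        mac_rejected = False
    except ValueError:
        mac_rejected = True
    return {
        "roundtrip_ok": decrypt(enc_key, mac_key, blob) == msg,
        "observer_learns": passive_observer(blob),
        "tampered_without_mac": decrypt_unauthenticated(enc_key, tampered),
        "mac_rejected": mac_rejected,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Two caveats the example shows by omission. Encryption alone did not protect integrity: the tampered message decrypts cleanly to "PAY 9010 TO BOB" when the tag is ignored, which is why the MAC is checked before anything is decrypted. And the HMAC gives no non-repudiation, the fourth goal on the card: both parties hold mac_key, so either of them could have produced any valid tag, and proving who sent a message needs a digital signature with a key only the sender holds.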